Using libnetfilter_queue, a reinjected packet doesn't effect the change. However, injecting a copy of the packet succeeds. Why?

StackOverflow https://stackoverflow.com/questions/11511993

  •  21-06-2021

Question

I am using the libnetfilter_queue library.

I need to change the dest IP in the packet. I change the dest IP and reinject the packet: nfq_set_verdict(qh, id, NF_ACCEPT, size, originalPacket);

but the change didn't take effect.

However, if I change the packet, copy it to a new char array and call set verdict with the copied array, then the change takes effect.

Am I doing something wrong?

Thank you


Solution

You need to use the NF_REPEAT verdict to reinject the packet to the same chain. Using the NF_ACCEPT verdict injects the packet into the subsequent chain. But for this purpose you should mark packets to avoid a loop, i.e.:

iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -m tcp -j NFQUEUE
iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark 0x80/0x80 -m tcp -j ACCEPT # altered packets
iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark 0x1/0x1 -m tcp -j ACCEPT # rest
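
The loop the answer warns about can be checked offline with a small model of those three rules. This is an added example, not code from the original post or from libnetfilter_queue: `traverse`, `queue_passes` and the `T_*` names are hypothetical, and the model assumes first-match-wins rule evaluation with the mark match defined as (mark & mask) == value.

```c
#include <stdint.h>
#include <stdio.h>

enum target { T_QUEUE, T_ACCEPT, T_POLICY };

/* One "-m mark [!] --mark value/mask -j TARGET" rule. */
struct rule { uint32_t value, mask; int invert; enum target target; };

/* The three raw/PREROUTING rules from the answer, in order. */
static const struct rule chain[] = {
    { 0x01, 0x01, 1, T_QUEUE  },  /* ! --mark 0x1/0x1  -j NFQUEUE */
    { 0x80, 0x80, 0, T_ACCEPT },  /* --mark 0x80/0x80  -j ACCEPT  */
    { 0x01, 0x01, 0, T_ACCEPT },  /* --mark 0x1/0x1    -j ACCEPT  */
};

/* First matching rule wins; the mark match is (mark & mask) == value. */
enum target traverse(uint32_t mark)
{
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        int hit = (mark & chain[i].mask) == chain[i].value;
        if (hit != chain[i].invert)
            return chain[i].target;
    }
    return T_POLICY;  /* no rule matched: chain policy decides */
}

/* How many times the packet reaches the queue if user space always answers
 * NF_REPEAT with repeat_mark (the mark argument of nfq_set_verdict2()).
 * Reaching `limit` means the packet never leaves the chain. */
int queue_passes(uint32_t repeat_mark, int limit)
{
    uint32_t mark = 0;  /* assumption: fresh packets arrive unmarked */
    int passes = 0;
    while (passes < limit && traverse(mark) == T_QUEUE) {
        passes++;
        mark = repeat_mark;  /* NF_REPEAT restarts the chain with this mark */
    }
    return passes;
}

int main(void)
{
    const uint32_t marks[] = { 0x00, 0x80, 0x01, 0x81 };  /* constructed inputs */
    for (size_t i = 0; i < 4; i++)
        printf("repeat mark 0x%02x: queued %d time(s) of 5\n",
               (unsigned)marks[i], queue_passes(marks[i], 5));
    return 0;
}
```

Under these rules a packet repeated with mark 0x80 alone is queued again, because the first rule only skips packets that carry bit 0x1; an altered packet has to carry both bits (0x81) to reach the "altered packets" rule.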
Licensed under: CC-BY-SA with attribution